by Hatem Naguib,
Networking & Security
*Co-Authored by Brad Hedlund
Networking is stuck in the past
It wasn’t that long ago when provisioning server resources for an application was manual, time consuming, hardware dependent, error prone, and grossly inefficient. As with many computer science problems, the solution to this inefficiency was automation through software abstraction – enabled by server virtualization. The release of VMware ESX paved the way for enterprises to rapidly deploy any application on any server, non-disruptively, by enabling the fundamental abstraction of servers from hardware – creating the virtual machine. Through server virtualization software, application servers are encapsulated into virtual machines, and programmatically deployed with APIs on top generalized pools of CPU and memory resources. The first important step toward the software defined data center.
Meanwhile, through all of the advances in server virtualization and cloud computing, networking has remained stuck in the past. Still today, provisioning network and security for an application is a manual effort; requiring a human, keyboard, and CLI. Each manual configuration must be carefully engineered across numerous devices, resulting in time consuming and error prone deployments. And coupling the network’s capabilities to hardware limits choice, creates choke points, and restricts workload placement – creating an unnecessary drag on the overall efficiency of everything in the infrastructure (servers and storage) attached to the traditional networking paradigms conceived in the 20th century.
It’s time to virtualize Networking
To realize the full potential of the software defined data center, networking and security must move forward into the 21st century with a similar software abstraction layer that transformed computing – network virtualization. VMware NSX paves the way for enterprises to rapidly deploy networking and security for any application, on any general purpose hardware, non-disruptively, by enabling the fundamental abstraction of networks from networking hardware – creating the virtual network.
Through network virtualization, more simplified logical networking devices and services can be abstracted away from the complexities of physical network engineering, exposed as logical networking objects across a fully distributed virtualization layer, and consumable through northbound APIs. In this process, the network virtualization layer leaves behind a more simplified physical network layer. VMware NSX exposes these simplified logical networking devices and services as logical ports, logical switches, logical routers, distributed virtual firewalls, virtual load balancers, and more, with monitoring, QoS, and security; backed by VMware NSX edge virtualization software or partner appliances.
These logical network abstractions are similar in principle to how server virtualization abstracts and exposes simplified elements of virtual CPU, virtual memory, and virtual storage – assembled in any combination to create a virtual machine. And like server virtualization, any combination of logical network device and security policy can be assembled together into any topology — creating a virtual network — deployed programmatically through APIs. A complete and feature rich virtual network can be defined at liberty from any constraints in physical switching infrastructure features, topologies or resources.
With network virtualization, each application’s virtual network and security topology is equally mobile and in lock-step with the fluid virtual compute layer, automated with APIs, and decoupled from custom/proprietary hardware.
VMware NSX: a platform for Network Virtualization
VMware NSX will be the world’s leading network and security virtualization platform providing a full-service, programmatic, and mobile virtual network for virtual machines, deployed on top of any general purpose IP network hardware. The VMware NSX platform brings together the best of Nicira NVP and VMware vCloud Network and Security (vCNS) into one unified platform. VMware NSX exposes a complete suite of simplified logical networking elements and services including logical switches, routers, firewalls, load balancers, VPN, QoS, monitoring, and security; arranged in any topology with isolation and multi-tenancy through programmable APIs – deployed on top of any physical IP network fabric, resident with any compute hypervisor, connecting to any external network, and consumed by any cloud management platform (e.g. vCloud, OpenStack, CloudStack).
The VMware NSX platform is assembled with five basic components: Controller Cluster, Hypervisor vSwitches, Gateways, Ecosystem partners, and NSX Manager.
The VMware NSX controller cluster is the highly available scale-out distributed system of x86 machines responsible for the programmatic deployment of virtual networks across the entire architecture. The controller cluster accepts API requests from northbound management platforms (e.g. vCloud, OpenStack), calculates the virtual network topology, and proactively programs the hypervisor vswitches and Gateways with the appropriate real-time configuration and forwarding state. As the computing environment dynamically changes, the controller cluster updates the necessary components to keep the virtual network state in lock-step with the virtual computing state.
The NSX controller cluster provides a logically centralized, yet physically distributed control layer. Each x86 machine in the cluster shares an equal portion of all the work required, and provides immediate backup capacity for any lost cluster nodes. Additional nodes can be added to the cluster as needed when the virtual networks under management need to scale.
The NSX controller cluster has visibility to all virtual machines and network services provisioned with NSX. With this authoritative knowledge, the NSX controller cluster can preemptively program all NSX components with the virtual network topology. The NSX controller cluster is completely out-of-band, and never handles a data packet.
Each hypervisor has a high performance in-kernel vSwitch with a programmable L2-L4 data plane and configuration database. The controller cluster programs each hypervisor vSwitch with a real-time configuration and forwarding state, to match the desired virtual network topology to which the virtual machines are attached. As any given virtual network spans multiple hypervisors, the controller dynamically programs IP encapsulation tunnels (STT and VXLAN) between hypervisors, decoupling the VM address space and virtual networks from the physical network fabric – similar to the encapsulation and decoupling of virtual machines from physical machines.
The combination of API interfaces, intelligent scale-out controller, scale-out in-kernel L2-L4 software data plane, and tunneling, form the basic building block exposing simplified L2-L4 virtual network elements arranged in any arbitrary topology, for any application.
Beyond simple network topology virtualization, VMware NSX enables new and previously unthinkable paradigms in network security virtualization. Paradigms such as decoupling network security from IP addressing, enabled by a high performance fully distributed in-kernel state full firewall attached directly to virtual machines, capable of triggering on a rich set of high level objects and context – far beyond basic TCP/IP header inspection.
VMware NSX provides scale-out Gateway services that connect virtual networks within VMware NSX to non-virtual hosts, remote sites, and external networks. Gateway nodes provide a Gateway service, implementing the same programmable vSwitch as hypervisors, and managed by the controller cluster.
VMware NSX Gateway services provide a secure path into and out of the software defined data center. NSX Gateway nodes can be deployed in active/active HA pairs, and offer IP routing, MPLS, NAT, Firewall, VPN, and Load Balancing services for securing and controlling traffic at the north/south edge of one or more NSX virtual networks.
Some applications within NSX might need to connect to services on non-virtual hosts within the data center, such as IP storage. For this requirement, NSX offers L2 Gateway services where HA pairs of dedicated L2 Gateway nodes, or partner Top of Rack switches, can bridge between NSX virtual networks and VLANs on a physical network. L2 Gateway services can also be placed at remote sites, bridging a remote VLAN to an NSX virtual network, for migrating workloads to and from the cloud data center.
The cloud management platform defines any necessary L2 or L3 Gateway services via API requests to the controller cluster, which calculates the topology and programs Gateway nodes with the necessary tunnels (VXLAN, STT) and forwarding state, thereby attaching the NSX virtual networks to the appropriate Gateway service.
Note: VMware NSX provides intelligent replication (over tunnels) for broadcast, multicast, and unknown unicast frames – providing logical switches within NSX a familiar L2 service model over any standard IP routed network, with or without IP multicast. VMware NSX can also offload IPSec encryption for NSX virtual networks and tunnels that extend to remote sites.
At the heart of VMware NSX is an extensible platform that enables partners to register their services with the VMware NSX controller, and seamlessly insert the respective capabilities into virtual networks. The use of open interfaces and open protocols allows an ecosystem of partners to easily integrate with VMware NSX using well known interfaces based on widely used open source software. More on this topic is available in this blog. Likewise, partners can attach L4-L7 service appliances to VMware NSX to be exposed as services available to virtual networks.
VMware NSX Manager provides a web-based GUI management dashboard for user friendly human interaction with the VMware NSX controller cluster API, for system setup, administration and troubleshooting. The system administrator can view logs and connectivity status of all VMware NSX components and virtual network elements (logical switches, logical routers, gateways, etc.). Powerful troubleshooting tools facilitate an easy mapping between virtual network topologies and the physical underlying IP network.
Like a virtual machine, VMware NSX Manager can take snapshots of the entire state of the virtual network for backup, restores, introspection, and archival.
Bringing it all together
VMware NSX is the unified platform for network and security virtualization, accelerating the capabilities of networking into the 21st century through the very same software-driven abstractions that enabled virtualized computing. In doing so, VMware NSX brings with it the same desirable properties of server virtualization to networking and security; rapid programmatic provisioning, non-disruptive deployment, supporting legacy and new applications simultaneously on any general purpose IP networking hardware, and decoupling networking services from rigid hardware into flexible and scalable software.
VMware NSX reproduces the useful properties of a traditional physical network into a more simplified logical network abstraction layer, with high fidelity, delivering flexible network topologies, features, and security for both enterprise applications and web scale cloud computing workloads.
Expected to launch in the second half of 2013, VMware NSX represents the full potential of network virtualization by working across VMware and non-VMware hypervisors and cloud management systems, as well as any underlying networking hardware. Customers already leveraging vCloud Networking and Security and the Nicira Virtualization Platform (NVP) to virtualize networking will have a simple path to migrate to VMware NSX.
Editor’s Note: To stay up to date with the latest on Network Virtualization follow the VMware Network Virtualization Blog